British companies that use face recognition as part of video authentication could fall foul of a major new data regulation that comes into force next year.Under the incoming General Data Protection Regulation (GDPR), “personal data resulting from specific technical processing relating to the physical … characteristics of a natural person, which allow or confirm the unique identification of that natural person” is considered to be biometric data. It specifically includes facial images.An individual's face being seen over video chat to confirm identity would fall within this description, notes a report by Pinsent Masons LLP released this week.The relevance of this is that biometric data is considered a special category of data under the GDPR. The processing of this type of data is prohibited unless one of the exceptions listed in Article 9 of the GDPR is met. Failure to satisfy one of those exceptions would mean that the processing of the biometric data is in breach of the GDPR.In practice, a robust and specific consent to processing of facial images should be sought from customers, ideally on downloading the app to enable the video authentication to take place, says the law firm.The firm also notes that video authentication technology is already functional in countries such as Germany and the Netherlands, with many European countries having already regulated to allow for it.